Monday, May 10, 2010

Offensive Security Part 2 -- KilltheN00b Walk Through

How Strong is Your FU hacker challenge, Part 2

Target 2: KilltheN00b

After some chips, salsa and a supersized burrito from el habinaro I was down for another challenge. I logged into the offsec labs and reviewed some of the documentation on the contest page that stated there were 2 targets.

Killthen00b
Ghost

After a quick portscan I chose to attack killthen00b purely based on the number of open ports available on the system. Ghost provided only the HTTP port. KilltheN00b had various ports open including FTP, HTTP and various mail ports.

More ports == more fun??
More Targets == more fun??
All Girls Just want to have fun?? Wait no that's a song LOL

Probably a wrong assumption, but it's a good theory to cling to when things get rough.

Initial FTP probing:

First thing I did was log into the FTP server with credentials that were provided on the offsec page. After logging into the FTP server there wasn't much to play with in any available directories so I decided to try to hop out of the FTP environment.

I tried to hop out of the FTP directory structure via directory traversal attacks with "cd ../../../../../"... Failed, so I then flipped the slashes to "cd ..\..\..\..\..\" and the response back indicated a fail. So I decided to directly call the root directory with "cd c:".

Score

"cd c:" correctly hopped me into a directory with loads of files available. I also seemed to be able to browse to a directory with system32 files. My actual first thought was to replace the system32 directory program Magnify.exe with my evil payload so that at the Remote Desktop login the accessibility options would become a shell. But unfortunately I didn't have access to write to that directory so I moved on. After browsing files for a while I decided this FTP session was a bust and logged out.

HTTP:

Next I decided to hit up the web page located on KilltheN00b. The webserver indicated an application by the name of "surgemail".

Also I noted the scripts directory on this site seemed to execute pages with an EXE extension. Very interesting...

I then checked the exploit databases and verified an exploit for the version of surgemail running that was valid for Windows 2000 and 2003.

Debugging:

Next I decided to check the remote desktop port and found out killthen00b was running a Win7 operating system and the exploit would need modification before it would work. This was a

TOTAL FAIL

I loaded up the debugger and started modifying the exploit and realized that I was unable to control EIP after a bit of wrestling with the exploits located on exploitDB... Either due to my lack of advanced level exploitation or the differences in operating systems or its protection mechanisms I only had control of certain parts of the stack but no EIP overwrite. To be correct, it is rather a partial overwrite of EIP: this exploit relies on the OS already providing a zero byte on the first byte of the 4-byte EIP, so to bypass filters on insertion the overflow uses what is already present (I like that); otherwise our null would stop execution of the program prematurely.

Before going further with this I realized this exploit was a post-authentication exploit and would need a user account. grrrr

More Web:

I browsed around the surgemail pages for a while trying attacks against authentication and authorization without much success till I hit a /domainadmin management page. On this page I was able to guess a password of test/test using burp "comparer" to compare my responses and noticed one of the outputs said "Account Details". I then verified that I could log into the server by logging into another port used for changing passwords, "poppassd", located on port 106. The found login worked.

Woot, I could now use that exploit if I could get the exploit to work.. however this was still a fail after messing with it for a few hours.

Back to FTP:

After noticing the EXE files with a possible execution on the webpage I decided to hit the FTP session back up and see if I could get to the scripts directory. After messing around for a while I realized that the "cd ..\..\" actually was working and after a few iterations got me to the root directory. I browsed to the surgemail/scripts directory.

Now we have our test shell to try, which I then uploaded to the FTP server in the surgemail/scripts directory. This directory also contained other exe files such as webmail.exe.

Back to the web part 2: the evil upload

Back on the web it was time to browse to the scripts directory and cross my fingers and toes, along with yelling at my friends to cross their fingers and toes too!!! Very important that all the bases are covered in information security..

Offensive Security in depth!!! or something like that..(Wishful thinking)

So I started a multihandler for metasploit first, just in case the reverse shell worked.

I then proceeded to browse to the directory with all body parts crossed.....Hoping for connect back

SCORE!!!!!

My connection status in metasploit then indicated I had an open session. :)

Post Exploitation:

With a shiny shell in hand I first dropped the hashes via meterpreter hashdump but I noticed from the sequence of characters the LM hashes were blank. So I decided to just create my own user using the following scenario.

But I like GUIs so let's get remote desktop, and I noted in an earlier attempt to log into Windows with my FTP credentials that I needed to be part of the remote desktop users group.. so let's be part of the cool kids group shall we??

SCORE I can now login with domain admin on a pretty GUI interface provided by Microsoft.. Thanks Microsoft :) and thanks Metasploit.

After logging into the Windows 7 machine I quickly found my proofs.txt and added it to the online scoreboard to raise me up to 50pts total. Job well done... Thanks to steponequit and carnalownage and sygog for collaborating on attack possibilities; sometimes multiple minds work better, and even if it's not the solution, possibilities for the future arise.

Lessons Learned:

-Don't listen to other people's chatter and take it as truth. While I was in IRC everyone was talking about compiling code and getting payloads correct..
-I knew better, I knew there was an easier way and only wasted a limited amount of time on exploit writing. I am sure there is a way to transfer that exploit but messing around all day isn't going to get me past the challenge.
-Again go with your initial observations of the application. My observation that the webpage was executing EXE files ultimately got me into the application even though I veered off the path for a while listening to people in the IRC chat about payloads.
-Also, again, always try things twice and CONFIRM.... Initially I thought I didn't have the traversal. It turns out I did, 3 hours before I used it!

Remediation:

-Check the ACLs and the jails on your FTP servers and make sure they are not traversable.
-Review your applications for any known exploitable 3rd party software and update.
-Do antivirus checking on file uploads to stop payloads from being uploaded and executed.
-Do egress filtering to stop unnecessary ports from calling back to listeners on attackers' machines.
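For the first remediation item, here is one way an FTP jail check can be written so that "../", "..\" and "c:" are all judged by the same rule. This is an added example, not code from SurgeMail or from the original post; the jail path, function names and sample arguments are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

JAIL_ROOT = r"C:\ftproot\test"  # constructed jail directory for a sample account

def resolve_in_jail(jail_root, cwd, requested):
    """Map a client-supplied CWD argument to a real path, or raise PermissionError."""
    # Treat '/' and '\' identically: a filter that knows only one separator
    # is the gap between "cd ../../" failing and "cd ..\..\" working.
    req = requested.replace("/", "\\")
    drive, rest = ntpath.splitdrive(req)
    if drive:
        # "c:", "C:\Windows" and UNC paths name locations outside the jail namespace.
        raise PermissionError(f"drive or UNC path refused: {requested!r}")
    # A leading separator means "jail root", never the filesystem root.
    base = jail_root if rest.startswith("\\") else cwd
    candidate = ntpath.normpath(ntpath.join(base, rest.lstrip("\\")))
    root = ntpath.normcase(ntpath.normpath(jail_root))
    cand = ntpath.normcase(candidate)
    # Check containment after normalisation, on a separator boundary, so a
    # sibling such as C:\ftproot\test2 does not pass as a prefix match.
    if cand != root and not cand.startswith(root + "\\"):
        raise PermissionError(f"path escapes jail: {requested!r}")
    return candidate

def audit(arguments, jail_root=JAIL_ROOT):
    """Return {argument: allowed?} for CWD arguments issued from the jail root."""
    verdicts = {}
    for arg in arguments:
        try:
            resolve_in_jail(jail_root, jail_root, arg)
            verdicts[arg] = True
        except PermissionError:
            verdicts[arg] = False
    return verdicts

# Constructed sample: the three arguments from the walkthrough plus benign ones.
SAMPLE = ["../../../../../", "..\\..\\..\\..\\..\\", "c:",
          "uploads", "uploads\\..\\docs", "/", "..\\test2"]

if __name__ == "__main__":
    for arg, ok in audit(SAMPLE).items():
        print(f"{arg!r:28} {'allow' if ok else 'DENY'}")
```

This is a string-level check only: a real server also has to resolve junctions and symlinks before comparing, and NTFS ACLs on the service account remain the backstop that keeps a web-executable directory such as scripts from being writable over FTP.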

Get a HUGE security budget and hire me to run all your penetration tests for twice your average cost!!! Preferably from the beach externally :) Don't forget to add redbull and sourpatch kids to the budget!!! They are ESSENTIAL to my findings.

Closing notes:
I then went to the gym to wake up my forgotten muscles from sitting around all day and night... This was over 24 hours into this Challenge, I cheated and took a little (LONG) nap somewhere in there too.. I know I know.. sleeping on the job, but hey there was a pillow close by and I ran out of the redbull..

Up next: Part 3

Dropping shells on the Ghost and watching him laugh as he ultimately owns me!!!!